takescoop / eslint-config-scoop Goto Github PK
View Code? Open in Web Editor NEWScoop's ESLint configuration, primarily for Node.js
License: MIT License
Scoop's ESLint configuration, primarily for Node.js
License: MIT License
With npm 2 (shipped w/ node 4) this project won't work because it doesn't flatten the dependency (and more precisely, because eslint is looking for a peer dependency which is outlined here: eslint/eslint#3458)
From @andrewtamura
// wrong:
doSomething(
doSomethingA,
doSomethingB)
// correct:
doSomething(
doSomethingA,
doSomethingB
)
Andrew suggested we can fix via the correct config of function-paren-newline
.
I am a bit worried that could cause regressions from our standard styles so we should include a more complete example file to test for that.
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-9.1.3.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/mocha/package.json
Dependency Hierarchy:
Found in base branch: master
There is regular Expression Denial of Service (ReDoS) vulnerability in mocha.
It allows cause a denial of service when stripping crafted invalid function definition from strs.
Publish Date: 2021-09-18
URL: WS-2021-0638
Base Score Metrics:
Step up your Open Source Security Game with Mend here
http://eslint.org/docs/rules/global-require
This generally matches our style. There are a few exceptions we tend to make (often around using knex).
JSON for humans.
Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/json5/package.json
Dependency Hierarchy:
Found in base branch: master
JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse
method of the JSON5 library before and including version 2.2.1
does not restrict parsing of keys named __proto__
, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse
and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse
. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse
should restrict parsing of __proto__
keys when parsing JSON strings to objects. As a point of reference, the JSON.parse
method included in JavaScript ignores __proto__
keys. Simply changing JSON5.parse
to JSON.parse
in the examples above mitigates this vulnerability. This vulnerability is patched in json5 version 2.2.2 and later.
Publish Date: 2022-12-24
URL: CVE-2022-46175
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175
Release Date: 2022-12-24
Fix Resolution: json5 - 2.2.2
Step up your Open Source Security Game with Mend here
http://eslint.org/docs/rules/curly
We are practicing this by convention at this point, though there are some leftover spots. We want to discourage:
if (condition) x = 5
and encourage (at least with regard to curly brace style):
if (condition) {
x = 5
}
const x = { 'something': {} }
When the value is an empty object the config is currently expecting this, which seems off.
{ 'something': {}}
The error is:
error There should be no space before '}' object-curly-spacing
reported by @eladidan
migration guide: http://eslint.org/docs/user-guide/migrating-to-3.0.0
I've reviewed the new recommended rules & don't think we need to change anything. no-unsafe-finally
is a nice addition.
This should be a semver major release for this repo since peers will need to be bumped in all the dependent projects.
Our commonJS import style is not enforceable by the built-in eslint rules. We can write our own ESLint plugin to enforce our commonJS import style.
Here is the current style that we would like to enforce:
bar
before foo
)use strict
we only do comparisons like this:
if (typeof x === 'string') {
console.log('yep')
}
We want to avoid things like this:
if (typeof x === undefined) {
console.log('this never evals true')
}
It looks like the requireStringLiterals
option was added to eslint in August to error on the latter case since in JS undefined
can be reassigned eslint/eslint#6698
Aren't really any valid use cases for us doing something like below, so enable this rule.
function doSomething() {
return foo = bar + 2;
}
https://eslint.org/docs/rules/no-var
This is not part of eslint:recommended
.
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Path to dependency file: eslint-config-scoop/package.json
Path to vulnerable library: eslint-config-scoop/node_modules/mocha/node_modules/minimist/package.json
Dependency Hierarchy:
Found in HEAD commit: cde4bf2d18512e8b8ead138d85ff396e125d1e7b
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "proto" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/substack/minimist/commit/63e7ed05aa4b1889ec2f3b196426db4500cbda94
Release Date: 2020-03-11
Fix Resolution: minimist - 0.2.1,1.2.3
Step up your Open Source Security Game with WhiteSource here
simple, flexible, fun test framework
Library home page: https://registry.npmjs.org/mocha/-/mocha-5.2.0.tgz
Path to dependency file: eslint-config-scoop/package.json
Path to vulnerable library: eslint-config-scoop/node_modules/mocha/package.json
Dependency Hierarchy:
Found in HEAD commit: cde4bf2d18512e8b8ead138d85ff396e125d1e7b
Found in base branch: master
Mocha is vulnerable to ReDoS attack. If the stack trace in utils.js begins with a large error message, and full-trace is not enabled, utils.stackTraceFilter() will take exponential run time.
Publish Date: 2019-01-24
URL: WS-2019-0425
Base Score Metrics:
Type: Upgrade version
Origin: v6.0.0
Release Date: 2020-05-07
Fix Resolution: https://github.com/mochajs/mocha/commit/1a43d8b11a64e4e85fe2a61aed91c259bbbac559
Step up your Open Source Security Game with WhiteSource here
Example of what our settings would be:
"indent": [
2,
4,
{
"SwitchCase": 1,
"MemberExpression": 0
}
]
blocked by #3
Disallow newlines before the closing of a block. Eg:
Disallowed:
function foo() {
console.log('meaningful work')
}
if (bar) {
baz()
}
// One space after the `async` keyword
async () => stuff
async function() { ... }
// No spaces after the `async` keyword
async() => stuff
// More than one space after `async` keyword
async () { ... }
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/minimatch/package.json
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
Base Score Metrics:
Step up your Open Source Security Game with Mend here
A tiny (108 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.25.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/nanoid/package.json
Dependency Hierarchy:
Found in base branch: master
The package nanoid from 3.0.0 and before 3.1.31 are vulnerable to Information Exposure via the valueOf() function which allows to reproduce the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-14
Fix Resolution (nanoid): 3.1.31
Direct dependency fix Resolution (mocha): 9.1.4
Step up your Open Source Security Game with Mend here
The version of eslint
that we're on does not yet support ecmaVersion 10 so apps on node 10 must specify ecmaVersion: 8
.
See the following failing test: https://circleci.com/gh/TakeScoop/eslint-config-scoop/69
We should enforce the following style:
['one', 'two']
over this style:
[ 'one', 'two' ]
This will enforce new lines between class methods and so on. Seems pretty consistent with our style but have occasionally seen inconsistency by devs.
Right now, the linter doesn't enforce (! ) vs. (!). Our style prefers the latter.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
mocha
, @types/mocha
)@typescript-eslint/eslint-plugin
, @typescript-eslint/parser
).circleci/config.yml
artifactory 1
node 4.7.0
package.json
@typescript-eslint/eslint-plugin ^5.5.0
@typescript-eslint/parser ^5.5.0
eslint-import-resolver-typescript ^2.5.0
eslint-plugin-implicit-dependencies ^1.0.4
eslint-plugin-import ^2.25.3
@hapi/code ^8.0.5
@types/mocha ^9.0.0
@types/node ^16.11.11
eslint ^8.0.0
mocha ^9.0.0
typescript ^4.5.2
eslint ^8.0.0
node >=12
I've never seen anybody deliberately use the comma operator, but I've run into a couple cases of people accidentally using it where they meant to use a comma for something normal and being surprised that it wasn't a syntax error.
ESLint has the no-sequences
rule that disallows the comma operator outside for-loops and expressions wrapped inside parentheses, but I think we should actually just bar it altogether:
{
"rules": {
"no-restricted-syntax": ["error", "SequenceExpression"]
}
}
Add [{ blankLine: "always", prev: "*", next: "return" }]
to the padding-line-between-statements
config to enforce newlines before returns when the return statement is not the only line of code in the block. Examples of enforcement can be found here, the first example specifically:
https://eslint.org/docs/rules/padding-line-between-statements#examples
With increasing interesting in async
/await
and diminishing interest in Bluebird, it seems appropriate to allow applications to use Promise
like any other global. We could still allow users to do const Promise = require('bluebird')
(seems confusing) or make a breaking change preventing global overrides and promoting const Bluebird = require('bluebird')
. I think in a world where Bluebird is on its way out as a standard feature of Node apps it's worth switching old apps to Bluebird
as an identifier when they upgrade the linter.
See https://github.com/TakeScoop/kube-run/pull/1/files#r258305516
There was some code like this:
.then(function(x) {
return Promise.map([6, 3], daysSince =>
doSomething({
x: 'x',
daysAgo: daysSince
})
)
})
The lone )
looks really out of place compared to rest of our code and readability here is harmed. This actually is an implicit return but looks like someone forgot to return or forgot to close a bracket.
It's risky to not check this as another rule could cause linting of these failure cases to "fail" (i.e. pass testing) and we wouldn't notice the change.
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz
Path to dependency file: /package.json
Path to vulnerable library: /node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in base branch: master
The package glob-parent from 6.0.0 and before 6.0.1 are vulnerable to Regular Expression Denial of Service (ReDoS)
Publish Date: 2021-06-22
URL: CVE-2021-35065
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
Step up your Open Source Security Game with Mend here
https://eslint.org/docs/rules/array-element-newline
The consistent
option to array-element-newline
rule will enforce the style that we want.
/*eslint array-element-newline: ["error", "consistent"]*/
var a = [];
var b = [1];
var c = [1, 2];
var d = [1, 2, 3];
var e = [
1,
2
];
var f = [
1,
2,
3
];
var g = [
function foo() {
dosomething();
}, function bar() {
dosomething();
}, function baz() {
dosomething();
}
];
var h = [
function foo() {
dosomething();
},
function bar() {
dosomething();
},
function baz() {
dosomething();
}
];
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.